18 Dec Holiday “Freeze” Can Leave Cyber Defense in the Cold – 3 Steps to Limit the Chill
By Tom Young, Executive Vice President of Worldwide Sales
It’s that time of year – the infamous year-end “freeze.” The freeze typically refers to the blackout most enterprises and agencies enforce on changes to production IT systems for fear of something negatively impacting holiday business (or worse, people’s vacations). But increasingly, it’s also a “freeze” of activity. Progress on projects, technology evaluations, and threat research slows to a crawl, save those tied to MBOs, KPIs, or some other business school TLA for things you have to finish to get paid. As a result, many firms are down to a skeleton Security Operations Center (SOC) crew over the holidays.
Don’t let your cyber defense guard down during the bad guys’ busy season
All of this leaves cyber defense at perilously low levels considering the increased risk. If the last year has shown us anything, it’s that the bad guys take no holidays, and they certainly don’t have a holiday “freeze.” In fact, it’s quite the opposite. This is their busiest time of the year, particularly with the record level of online holiday-oriented activity, from pre-made holiday cards with pictures of the kids and/or dogs, to gift-buying, to last-minute travel purchases.
The fact is, many people just don’t want to be bothered. “I don’t want any integration work due in the days leading up to Christmas, or my <husband/wife/partner/significant other> will kill me.” Having made a career in Sales, my family and I are all too familiar with the year-end rituals of working through the holidays, late into the nights and tracking orders as the ball drops in Times Square. I’m not saying that’s ideal, but it’s what has to be done.
I’m going to date myself here, but I recall when Y2K was about to hit, and then online behemoth, AOL, required staff to be at work in their data centers on New Year’s Eve in case the sky started falling, as some predicted it would (it didn’t, of course). AOL Management even threw a non-alcoholic fete (or so I’m told) to liven the spirits of those forced to work on this famous party night (how many times was Prince’s, “1999” played?).
Don’t get me wrong, I’m not saying everyone should staff up and work through the holidays, which are a sacred tradition around much of the world. However, I am saying it’s not the time to let our guard down, accept excuses for putting off work that should continue, or lessen our vigilance. This is war, a cyber war, where unlike WWII combatants who called an impromptu Christmas truce, the enemy is relentless and operates at the speed of light. Unfortunately, for us in the world of cyber defense, there should be no rest, or “freeze,” either.
Three steps to maintain year-end cyber defense vigilance
So, here are three suggestions for helping prevent the year-end “freeze” from putting a chill on your Cyber defenses:
- Prioritize: Quickly review, and revise if necessary, the priority ranking of assets most critical to protect during this holiday period, so that security staff is fully aware of, and acknowledges, where their focus must be. This sounds simple, and many will say, “we’ve done that,” but I bet many organizations would be surprised at the results if they polled their holiday skeleton SOC crew about which are the most critical enterprise assets. This does not need to be an exhaustive review, but an effort to ensure all parties are clear and that communications regarding these priority assets are clear and timely.
- Cross-train: Task functions that are already required to be on call during the holidays (e.g., Help Desk) with allocating a portion of their staff to the SOC, and cross-train them in the processes and procedures for Alert Triage, or Tier 1 Operator duties. This enables the few senior, highly skilled resources available to focus on items that pass through the first line of defense/review. For example, set up several Lunch-n-Learn sessions on the checklist a Tier 1 Operator goes through when triaging an inbound alert that cannot be automatically closed. Share with them the tools and how to use them, such as looking up an IP address in VirusTotal and/or Whois. This also helps alleviate some of the fatigue that’s making retention such a challenge (see Syncurity Founder & CSO JP Bourget’s white paper, “Preventing Analyst Fatigue”).
- Automate & Orchestrate: Use automation to reduce the SOC workload, particularly for Alert Triage, allowing limited staff to quickly see and rank risks to priority assets among the reams of threat intel and alerts pouring into the SOC. For example, when an alert for suspicious traffic from an IP address is received, use APIs to automatically validate whether this traffic is to/from a high-priority asset by checking the CMDB, whether it impacts a VIP user by checking AD, and check the IP against a variety of private and public threat intelligence sources. If this is a high-value asset and/or user, and if more than 2 sources rank this address as malicious with high confidence, escalate for further investigation. Next, address these more quickly through orchestration. For example, use APIs into the security infrastructure directly to block the malicious IP at the perimeter, proxy and mail gateway, and then leverage APIs to the EDR platform to reimage any impacted endpoints. If an organization is not ready for the SOC to talk directly to the infrastructure for these actions, at least start the change control procedures necessary to implement the changes, such as generating IT tickets to the appropriate teams, so that they can respond appropriately to potential risks that arise relative to these priority assets (see Syncurity Founder & CSO JP Bourget’s Dark Reading article, “Finding Your Appetite for Automation (And Why it Matters)”).
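
The triage-and-orchestrate flow just described, written out as a small playbook. This is an added example, not Syncurity code or a real SOAR integration: the CMDB, Active Directory and threat-intel "APIs" are constructed in-memory dictionaries (the `CMDB`, `AD_VIPS` and `TI_SOURCES` tables, the feed names and all IP addresses are made up for illustration), the 0.80 confidence cut-off is an assumed threshold, and the `mode` switch models the choice between driving the infrastructure directly and opening change-control tickets.

```python
"""Automated alert-triage playbook (constructed example, not production code)."""
from dataclasses import dataclass, field

# --- Constructed stand-ins for enterprise data sources (not real systems) ---
CMDB = {  # asset IP -> record; "criticality" drives the high-value decision
    "10.0.5.20": {"hostname": "erp-db-01", "criticality": "high"},
    "10.0.9.14": {"hostname": "kiosk-07", "criticality": "low"},
}
AD_VIPS = {"10.0.5.20": "cfo.jdoe"}  # asset IP -> VIP account logged on (constructed)
TI_SOURCES = {  # feed name -> {external IP: (verdict, confidence)}; constructed
    "private-feed": {"203.0.113.7": ("malicious", 0.95)},
    "public-feed-a": {"203.0.113.7": ("malicious", 0.90)},
    "public-feed-b": {"203.0.113.7": ("malicious", 0.85),
                      "198.51.100.3": ("suspicious", 0.40)},
    "public-feed-c": {"198.51.100.3": ("malicious", 0.99)},
}
HIGH_CONFIDENCE = 0.80     # assumed: minimum confidence for a source's vote to count
MIN_MALICIOUS_SOURCES = 3  # "more than 2" sources must agree


@dataclass
class Alert:
    alert_id: str
    asset_ip: str      # internal endpoint involved in the suspicious traffic
    external_ip: str   # remote address to check against threat intel


@dataclass
class TriageResult:
    alert_id: str
    high_value: bool
    malicious_votes: int
    escalate: bool
    actions: list = field(default_factory=list)


def asset_is_high_value(asset_ip: str) -> bool:
    """High-priority asset per the CMDB, or a VIP user per AD."""
    record = CMDB.get(asset_ip, {})
    return record.get("criticality") == "high" or asset_ip in AD_VIPS


def malicious_votes(external_ip: str) -> int:
    """Count sources that rate the IP malicious with high confidence."""
    votes = 0
    for verdicts in TI_SOURCES.values():
        verdict, confidence = verdicts.get(external_ip, ("unknown", 0.0))
        if verdict == "malicious" and confidence >= HIGH_CONFIDENCE:
            votes += 1
    return votes


def triage(alert: Alert, mode: str = "ticket") -> TriageResult:
    """Apply the escalation rule, then pick orchestration actions.

    mode="direct": the SOC is allowed to drive infrastructure APIs itself.
    mode="ticket" (default): go through change control via IT tickets.
    """
    high_value = asset_is_high_value(alert.asset_ip)
    votes = malicious_votes(alert.external_ip)
    escalate = high_value and votes >= MIN_MALICIOUS_SOURCES
    result = TriageResult(alert.alert_id, high_value, votes, escalate)
    if not escalate:
        # Low-value asset or not enough corroboration: leave it for Tier 1.
        result.actions.append("queue for Tier 1 review")
        return result
    hostname = CMDB.get(alert.asset_ip, {}).get("hostname", alert.asset_ip)
    targets = ("perimeter firewall", "web proxy", "mail gateway")
    if mode == "direct":
        result.actions += [f"block {alert.external_ip} at {t}" for t in targets]
        result.actions.append(f"EDR: reimage {hostname}")
    else:
        result.actions.append(
            f"ticket network team: block {alert.external_ip} at {', '.join(targets)}")
        result.actions.append(f"ticket endpoint team: reimage {hostname}")
    result.actions.append("escalate to senior analyst for investigation")
    return result


if __name__ == "__main__":
    for a in (Alert("A-1", "10.0.5.20", "203.0.113.7"),
              Alert("A-2", "10.0.9.14", "203.0.113.7"),
              Alert("A-3", "10.0.5.20", "198.51.100.3")):
        r = triage(a)
        print(a.alert_id, "escalate" if r.escalate else "hold", r.actions)
```

Of the three constructed alerts, only A-1 escalates: it touches a high-criticality asset with a VIP logged on and three feeds agree with high confidence. A-2 hits the same bad address but from a low-value kiosk, and A-3 involves the critical asset but only one feed is confident, so both stay in the Tier 1 queue rather than triggering blocks or reimages. Keeping the confidence threshold and vote count as named constants is what makes the rule auditable when the skeleton crew asks why an alert did or did not fire.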
Don’t let the holiday freeze lower your cyber defenses
The holidays can be a wonderful time for individuals, and time off is a proven, necessary antidote to employee burnout. There’s sound logic in the origin of the IT year-end “freeze.” However, this is also a time for organizations to be assertive with their staff, and creative in their approach to ensuring they remain cyber-vigilant and leverage technology to offset the challenges of maintaining, retaining, and training limited SOC staff. What’s your answer for warming up the chill of the year-end “freeze”? Join the conversation.